Title: Secure MCP
Author: bethurban
Published: July 2, 2026

---

 1. [Integrations](https://docs.wpvip.com/integrations/)
 2. [Integrations Center](https://docs.wpvip.com/integrations/center/)
 3. Secure MCP

#  Secure MCP

The **Secure MCP** integration is a single-audited, policy-governed endpoint through
which [AI agents](https://docs.wpvip.com/integrations/center/secure-mcp/connect-an-mcp-client-to-secure-mcp/)
access WordPress VIP applications. It governs which applications an agent can operate
on and which capabilities it can use, and it logs activity.

The Model Context Protocol (MCP) is an open standard that lets AI agents call external
tools. Secure MCP is the WordPress VIP implementation of that standard.

Secure MCP exposes 2 toolsets:

 * **[VIP MCP](https://docs.wpvip.com/integrations/center/secure-mcp/vip-mcp/)**—
   tools for managing the VIP Platform: applications, environments, deployments,
   domains, logs, security configurations, backups, and more.
 * **[WordPress MCP](https://docs.wpvip.com/integrations/center/secure-mcp/wordpress-mcp/)**—
   tools to manage a WordPress site on the VIP Platform: content, configuration,
   and other site-level operations.

An [Org admin](https://docs.wpvip.com/manage-user-access/vip-dashboard/org-roles/)
activates Secure MCP once for the organization via the VIP Dashboard’s [Integrations Center](https://docs.wpvip.com/integrations/center/).
After activation, Org and [App admins](https://docs.wpvip.com/manage-user-access/vip-dashboard/app-role/)
manage access to VIP MCP and WordPress MCP independently for each application.

## Secure MCP toolsets

| Toolset | Purpose | 
| [VIP MCP](https://docs.wpvip.com/integrations/center/secure-mcp/vip-mcp/vip-mcp-tools/) | Operate on the VIP Platform: apps, environments, deployments, domains, env vars, logs, metrics, security settings, backups, WP-CLI, and data sync. | 
| [WordPress MCP](https://docs.wpvip.com/integrations/center/secure-mcp/wordpress-mcp/wordpress-mcp-tools/) | Operate on a WordPress site through the WordPress MCP server that runs inside the site. |

Both toolsets are subject to the authenticated user’s [VIP Dashboard permissions](https://docs.wpvip.com/manage-user-access/vip-dashboard/).
Tools the user cannot use are not registered for the session.

## How access works

[Secure MCP access](https://docs.wpvip.com/integrations/center/secure-mcp/activate-configure-secure-mcp/)
is controlled at 2 levels.

Org admins control the **Global MCP** setting through the [Integrations Center](https://docs.wpvip.com/integrations/center/),
which determines whether MCP is allowed anywhere in the organization.

Once Global MCP is active, access to each toolset is managed per application. For
each application, an Org or [App admin](https://docs.wpvip.com/manage-user-access/vip-dashboard/app-role/)
can independently enable or disable the **VIP MCP** and **WordPress MCP** toolsets.
An application with both toolsets disabled is not reachable by an agent, even while
Global MCP is active.

## Call log

Every MCP tool call is recorded. The **MCP Call Log** lists Secure MCP tool calls
across all applications in an organization, and a per-environment view lists the
calls for a single environment. Entries generated through an agent are attributed
to the authorizing user and marked with an **MCP** source indicator, which distinguishes
agent-initiated actions from actions taken directly in the VIP Dashboard.

## Roles and permissions

Activating Secure MCP requires an Org admin role, and changing toolset access for
an application requires an Org or App admin role. Viewing the **MCP Call Log** requires
the audit events permission. A user who lacks that permission sees an unauthorized
message in place of the log. Manage roles and permissions via the [**People** panel](https://docs.wpvip.com/vip-dashboard/organization-view/people/)
in the VIP Dashboard.

Last updated: July 02, 2026